Don't Be Surprised by a Cyber Attack: Prepare, Respond, Recover

Cyber attacks have become inevitable, but companies that prepare for how to respond can "shrink the problem" and minimize the impact of any security breach.

With computer hackers grabbing gigabytes of data from JPMorgan and four other major US banks over the past month, it’s no secret that cyber criminals are targeting financial services companies.

Since hackers are slipping in through phishing emails and other means, firms need to prepare for the inevitable attack, which is no longer “if” but “when and how bad,” cautions John Pironti, president of IP Architects plc, a risk advisory and consulting firm in New York.

Pironti says the problem is some companies are reactive rather than proactive in planning for a cyber security event that can quickly lead to business disruption, monetary losses, and reputational damage.

Proactive companies will prepare for when “a bad thing happens” so that they can understand how bad it is and what processes they should care about, says Pironti. He is running an all-day workshop called “Acknowledge the Inevitable: How to Prepare For, Respond to, and Recover From a Security Incident” at Interop on Sept. 30.

To avoid being flat-footed, business and technology teams need to manage their vulnerabilities and understand the risk profile of the organization. “These are all things to know upfront,” asserts Pironti.

Since the threat landscape is diverse and growing, organizations should zero in on the probability and impact of specific threats. There are lots of things that could happen. The key is to “shrink the problem,” says Pironti. “Focus on the probability and impact of specific threats. This way, firms can focus their energy and attention and develop a way to minimize the impact of those threats or reduce them to an acceptable level.”

What is your appetite for risk?

Recognizing that an incident is going to occur, the first step is to develop an information risk profile. Pironti likens this to “a pain chart.” It helps companies understand their risk level and then decide at what stages and with what level of resources they respond, and at what point they engage outside help. Every organization has its own risk tolerances. Some are sensitive to brand damage, others to financial operations being unavailable, such as transaction-based systems. With the risk chart in place, the business and security teams can agree to build the tools and the technology to protect against that level of risk.

In the past, there’s been some skepticism over whether security’s recommendations were necessary. Some view security “as a tax” on the business, notes Pironti, adding that the business side often sees the security professionals as living in an ivory tower. That is why it’s important to do the risk assessment first and implement security second, he says.

Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ...